DETAILED ACTION 

1 . The communication filed on 6/25/04 did not add, cancel, or modify any claims. 
Claims 1-21 remain pending for examination. 



Response to Arguments 

2. Applicant's arguments filed 6/25/04 have been fully considered but they are not 
persuasive. 

Applicant argues, ". . .there is no disclosure [in the Tabata reference] that the ingress edge 
node is coupled to the egress edge node, as would be required by claim 1." Examiner disagrees 
with this contention, as Liu clearly teaches that it is possible for an edge node to 
perform both functions (paragraph 0046, lines 6-8); in this embodiment of the invention, 
it is apparent that the ingress edge node is coupled to the egress edge node. Further, it 
can be seen in Figure 1 of Tabata that all edge nodes are coupled to each other by the 
backbone network (element 3 of Figure 1). 

3. Applicant argues, ". . .there is no suggestion or disclosure [in the Liu reference] of 'separate 
access network logical connections for intra-VPN and extra-VPN traffic' as recited by claim 1." 
Examiner disagrees with this contention. Liu teaches that there is a clear distinction to 
be made between intra-VPN and extra-VPN traffic (col. 7, lines 30-40). It is also well 
known in the art and implicitly understood that IP-enabled devices are able to send 
traffic among multiple separate logical ports, which can be construed to be logical 
connections under the broadest definition of the term. Thus, at the bare minimum the 
suggestion exists in Liu that separate access network logical connections for intra- and 
extra-VPN traffic would have been obvious to one of ordinary skill in the art to 
implement for Liu. Furthermore, Applicant is reminded that the rejection of claim 1 is 
based on the teachings of Liu as modified by the teachings of Tabata. In response to 
applicant's arguments against the references individually, one cannot show 
nonobviousness by attacking references individually where the rejections are based on 
combinations of references. See In re Keller, 642 F.2d 413, 208 USPQ 871 (CCPA 
1981); In re Merck & Co., 800 F.2d 1091, 231 USPQ 375 (Fed. Cir. 1986). 

4. Applicant argues, "In contrast, claim 1 recites 'logically partitioning intra-VPN and extra-VPN 
traffic,' which is nowhere suggested or disclosed by Tabata. Moreover, Tabata's limiting of the input 
bandwidth of an in-network packet does not satisfy 'a plurality of ingress boundary routers coupled to the 
one or more egress boundary routers for communication utilizing a network-based VPN protocol that 
logically partitions intra-VPN and extra-VPN traffic, such that denial of service attacks on said access 
link originating from sources outside the VPN can be prevented' as recited by claim 1, since the 
restriction on bandwidth occurs on in-network packets according to predetermined quality control 
information to perform control such that an in-network packet exceeding the bandwidth based on a 
contract with a user is not transmitted to the backbone network of Tabata. (par. 0026) This deficiency is 
not cured by any reasonable combination of Liu and Tabata." Examiner contends that this would 
have been an obvious development for one of ordinary skill in the art at the time the 
invention was made to implement. Note that the invention by Tabata routes packets 
according to quality control information received by the policy server as well as the 
Destination IP address found in the in-network packet header (paras. 0090 and 0096). 
It is well known in the art that all IP packets possess a "Destination IP address" field in 
the IPv4 header, including those designated "in-network" packets by Tabata (Figure 2). 
It would have been obvious to one of ordinary skill in the art at the time the invention 
was made to use the Destination IP address field found in the IPv4 header, as opposed 
to the one found in the in-network header (Figure 3) as the basis for determining 
whether the packet should be discarded in accordance with the quality control 
information, with the motivation being to prevent denial of service attacks on an access 
link from sources outside the VPN. 

5. Applicant's arguments regarding the rejections of independent claims 9 and 16, 
as well as dependent claims 2-8, 10-15, and 17-20 have been fully considered but are 
not persuasive, based on the same grounds as cited in the preceding paragraph. 

6. Applicant argues, "In its rejection of claim 21, the Office Action asserts that it would have 
been obvious to 'modify the teachings of Liu such that precedence information is used to partition the 
traffic,' and that the motivation would be to 'prevent a bandwidth consumption attack.' (Office Action, page 
7) However, the system of Liu examines packets to determine whether or not they are VPN traffic. 
Packets determined to be VPN traffic are processed for compression, encryption, and authentication rules 
according to the packet's VPN group, and packets determined to be non-VPN traffic are either passed 
through or discarded. (col 8: 17-39) The system of Tabata restricts the bandwidth for in-network packets 
according to predetermined quality control information to perform control such that an in-network packet 
exceeding the bandwidth based on a contract with the user is not transmitted to the backbone network of 
Tabata. (par. 0026) This is done to 'secure a required bandwidth for each end user' in order to ensure a 
communication bandwidth available to each end user for quality control. (pars. 0007 and 0010) Even if 
the two references were combinable, this type of modification to the system of Liu would do no more than 
ensure a communication bandwidth to each end user for quality control, and would not resist 'denial of 
service attacks on an access link to a destination host included in a VPN.' This deficiency is not satisfied 
by any reasonable combination of Liu and Tabata." Examiner disagrees with this contention, as 
it would have been obvious to one of ordinary skill in the art at the time the invention 
was made to allow for the possibility. Again it should be noted that the primary 
determinant for a packet to be passed or dropped in accordance with the quality control 
information is the Destination IP Address (Tabata, paragraphs 0057, 0090, and 0096). 
This field is not endemic to the in-network packet header but was well known in the art 
as being a required field in all IPv4 packet headers, including the packets used in 
Tabata (Tabata, Figure 2). In addition, given that the backbone network depicted in 
Figure 1 of Tabata is identified as the Internet, it would be reasonable to assume that 
any node connected to the backbone network would be capable of instigating a denial 
of service attack against a particular node, regardless of whether the attacking node is a 
member of the same VPN as the defending node. Therefore, it would have been 
obvious to one of ordinary skill in the art at the time the invention was made to modify 
the combined teachings of Liu and Tabata to make a quality control determination of all 
packets sent to a node, and not simply those that are in-network, by using the 
Destination IP Address field in the IP header rather than the Destination IP Address 
found in the in-network header. The motivation for this would be to help defend against 
denial of service attacks instigated from outside the VPN. 

Claim Rejections - 35 USC § 103 
7. The text of those sections of Title 35, U.S. Code not included in this action can 
be found in a prior Office action. 



Application/Control Number: 10/023,043 Page 6 

Art Unit: 2135 

8. Claims 1-21 are rejected as being unpatentable over US 6079020 issued to Liu, 
herein referred to as Liu, in view of US 2001/0016914 issued to Tabata, herein referred 
to as Tabata. 

Referring to Claim 1 : 

Liu discloses a network system that resists denial of service attacks on an access 
link to a destination host belonging to a virtual private network (VPN), said network 
system comprising: 

one or more egress boundary routers having connections to an access network 
including the access link (Fig. 1), wherein said one or more egress boundary routers 
transmit intra-VPN traffic from sources within the VPN and extra-VPN traffic from 
sources outside the VPN within separate access network logical connections for 
intra-VPN and extra-VPN traffic (col 7, lines 20-45; Fig 2); and 

Liu does not explicitly disclose "a plurality of ingress boundary routers coupled to 
the one or more egress boundary routers for communication utilizing a network-based 
VPN protocol that logically partitions intra-VPN and extra-VPN traffic, such that denial of 
service attacks on said access link originating from sources outside the VPN can be 
prevented". 

Tabata discloses a plurality of ingress boundary routers coupled to the one or 
more egress boundary routers for communication utilizing a network-based VPN 
protocol that logically partitions intra-VPN and extra-VPN traffic (paragraph 0046, 0048; 
paragraph 0084; paragraph 0091), such that denial of service attacks on said access 
link originating from sources outside the VPN can be prevented (paragraph 0084). 

At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to modify the teachings of Liu such that a denial of service attack 
is prevented. One of ordinary skill in the art would have been motivated to do this 
because it would prevent a bandwidth consumption attack (Tabata: paragraph 0084). 

Referring to Claim 9: 

Liu discloses a network system, comprising: an access network having an 
access link to a destination host belonging to a virtual private network (VPN), wherein 
said access network supports a first logical connection for intra-VPN traffic from sources 
within the VPN and a second logical connection for extra-VPN traffic from sources 
outside the VPN (col 7, lines 20-45; Fig. 1-2); 

Liu does not explicitly disclose "one or more egress boundary routers having 
connections to the access network, wherein said one or more egress boundary routers 
transmit intra-VPN traffic toward the destination host via the first logical connection and 
transmit extra-VPN traffic toward the destination host via the second logical connection; 
a plurality of ingress boundary routers coupled to the one or more egress boundary 
routers for communication utilizing a network-based VPN protocol that logically 
partitions intra-VPN and extra-VPN traffic, such that denial of service attacks on said 
access link originating from sources outside the VPN can be prevented" 
Tabata discloses one or more egress boundary routers having connections to the 
access network, wherein said one or more egress boundary routers transmit intra-VPN 
traffic toward the destination host via the first logical connection and transmit extra-VPN 
traffic toward the destination host via the second logical connection (paragraph 0046; 
paragraph 0069; paragraph 0089); a plurality of ingress boundary routers coupled to the 
one or more egress boundary routers for communication utilizing a network-based VPN 
protocol that logically partitions intra-VPN and extra-VPN traffic (Fig. 5; paragraph 0046), 
such that denial of service attacks on said access link originating from sources outside 
the VPN can be prevented (paragraph 0084; paragraph 0090-0093). 

At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to modify the teachings of Liu such that a denial of service attack 
is prevented. One of ordinary skill in the art would have been motivated to do this 
because it would prevent a bandwidth consumption attack (Tabata: paragraph 0084). 

Referring to Claim 16: 

Liu discloses a method of protecting an access link to a destination host 
belonging to a virtual private network (VPN) against denial of service attacks, said 
method comprising: in an access network including the access link, providing a first 
logical connection for intra-VPN traffic from sources within the VPN and a second 
logical connection for extra-VPN traffic from sources outside the VPN (col 7, lines 25- 
45); 
Liu does not explicitly disclose "communicating, from a plurality of ingress 
boundary routers to one or more egress boundary routers, intra-VPN and extra-VPN 
traffic destined for said destination host, wherein said intra-VPN traffic and said 
extra-VPN traffic are transmitted utilizing a network-based VPN protocol that logically 
partitions intra-VPN and extra-VPN traffic; transmitting intra-VPN traffic from said one or 
more egress boundary routers toward the destination host via the first logical 
connection, and transmitting extra-VPN traffic from said one or more egress boundary 
routers toward the destination host via the second logical connection, such that denial of 
service attacks on said access link originating from sources outside the VPN can be 
prevented." 

Tabata discloses communicating, from a plurality of ingress boundary routers to 
one or more egress boundary routers, intra-VPN and extra-VPN traffic destined for said 
destination host (Fig. 5; paragraph 0046), wherein said intra-VPN traffic and said 
extra-VPN traffic are transmitted utilizing a network-based VPN protocol that logically 
partitions intra-VPN and extra-VPN traffic (paragraph 0064; paragraph 0069); 
transmitting intra-VPN traffic from said one or more egress boundary routers toward the 
destination host via the first logical connection, and transmitting extra-VPN traffic from 
said one or more egress boundary routers toward the destination host via the second 
logical connection (paragraphs 0071-0073), such that denial of service attacks on said 
access link originating from sources outside the VPN can be prevented (paragraph 
0084). 
At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to modify the teachings of Liu such that a denial of service attack 
is prevented. One of ordinary skill in the art would have been motivated to do this 
because it would prevent a bandwidth consumption attack (Tabata: paragraph 0084). 

Referring to Claim 21 : 

Liu discloses a method for resisting denial of service attacks on an access link to 
a destination host included in a VPN, the method comprising the steps of: intra-VPN 
traffic flowing from sources included in the VPN (col 7, lines 25-45); extra-VPN traffic 
flowing from sources outside the VPN (col 7, lines 25-45); 

Liu does not explicitly disclose "assigning a first priority level to traffic intra-VPN 
traffic flowing from sources included in the VPN; assigning a second priority level to 
traffic extra-VPN traffic flowing from sources outside the VPN; and granting, to traffic 
having the first priority level at the access link, precedence of access to the destination 
host over traffic having the second priority level." 

Tabata discloses assigning a first priority level to traffic intra-VPN traffic flowing 
from sources included in the VPN; assigning a second priority level to traffic extra-VPN 
traffic flowing from sources outside the VPN; and granting, to traffic having the first 
priority level at the access link, precedence of access to the destination host over traffic 
having the second priority level (paragraph 0089). 

At the time the invention was made, it would have been obvious to a person of 
ordinary skill in the art to modify the teachings of Liu such that precedence information 
is used to partition the traffic. One of ordinary skill in the art would have been motivated 
to do this because it would prevent a bandwidth consumption attack (Tabata: 
paragraphs 0084-0087). 
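The access-link arrangement that the rejections of claims 1 and 21 (and the examiner's reasoning in paragraph 6 above) turn on, two logical connections over one access link with intra-VPN traffic given precedence and classification read from the fixed IPv4 header fields rather than from any encapsulating header, can be exercised in a small simulation. The following Python is an added example written for this page; it is not code from the application, from Liu, or from Tabata. The VPN prefixes, the packet sizes, the 5000-byte link budget and the 20% cap on the extra-VPN share are assumed values chosen for the illustration, and membership is decided from the inner IPv4 source address, which the claim language ("traffic from sources within the VPN") implies but does not specify.

```python
"""Simulation of an egress boundary router protecting an access link.

Added example for this page (not code from the application, Liu, or Tabata).
Assumed values: VPN prefixes, packet sizes, link budget, extra-VPN share cap.
"""
import ipaddress
import struct
from collections import deque

# Hypothetical VPN membership: sources inside these prefixes are intra-VPN.
VPN_PREFIXES = [ipaddress.ip_network("10.1.0.0/16"),
                ipaddress.ip_network("10.2.0.0/16")]
INTRA_VPN = 0   # first priority level (claim 21)
EXTRA_VPN = 1   # second priority level


def build_ipv4_packet(src, dst, payload=b"", proto=17):
    """Build a minimal IPv4 header (no options, zero checksum) plus payload.

    Used only to construct sample traffic for the simulation.
    """
    header = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
        ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return header + payload


def parse_ipv4(pkt):
    """Return (src, dst) read from the fixed IPv4 header fields.

    The addresses sit at byte offsets 12-15 (source) and 16-19 (destination)
    of every IPv4 header, independent of any outer/in-network encapsulation.
    """
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    return ipaddress.ip_address(pkt[12:16]), ipaddress.ip_address(pkt[16:20])


def classify(pkt):
    """Assign the priority level: intra-VPN if the source is a VPN member."""
    src, _ = parse_ipv4(pkt)
    return INTRA_VPN if any(src in net for net in VPN_PREFIXES) else EXTRA_VPN


def schedule_access_link(packets, link_budget, extra_vpn_share=0.2):
    """Partitioned access link: two logical connections, strict precedence.

    Intra-VPN traffic is served first from the whole link budget; extra-VPN
    traffic only gets what is left, further capped at extra_vpn_share of the
    link so a flood from outside the VPN cannot consume the link.
    Returns (sent, dropped) dicts keyed by priority level.
    """
    queues = {INTRA_VPN: deque(), EXTRA_VPN: deque()}
    for pkt in packets:
        queues[classify(pkt)].append(pkt)
    sent = {INTRA_VPN: 0, EXTRA_VPN: 0}
    dropped = {INTRA_VPN: 0, EXTRA_VPN: 0}
    remaining = link_budget
    for level in (INTRA_VPN, EXTRA_VPN):
        budget = remaining
        if level == EXTRA_VPN:
            budget = min(remaining, int(link_budget * extra_vpn_share))
        while queues[level]:
            pkt = queues[level].popleft()
            if len(pkt) <= budget:
                budget -= len(pkt)
                remaining -= len(pkt)
                sent[level] += 1
            else:
                dropped[level] += 1
    return sent, dropped


def schedule_fifo(packets, link_budget):
    """Unpartitioned access link: one queue, arrival order, no precedence.

    This is the situation the claims are meant to avoid: whoever sends
    first (or most) takes the link, regardless of VPN membership.
    """
    sent = {INTRA_VPN: 0, EXTRA_VPN: 0}
    dropped = {INTRA_VPN: 0, EXTRA_VPN: 0}
    remaining = link_budget
    for pkt in packets:
        level = classify(pkt)
        if len(pkt) <= remaining:
            remaining -= len(pkt)
            sent[level] += 1
        else:
            dropped[level] += 1
    return sent, dropped


def flood_scenario():
    """Constructed traffic: 1000 extra-VPN packets followed by 10 intra-VPN
    packets, each 100 bytes, offered to a 5000-byte link interval.
    Returns (fifo_result, partitioned_result)."""
    payload = b"x" * 80   # 20-byte header + 80 bytes = 100-byte packets
    flood = [build_ipv4_packet(f"203.0.113.{i % 250 + 1}", "10.1.0.10", payload)
             for i in range(1000)]
    legit = [build_ipv4_packet("10.2.0.5", "10.1.0.10", payload)
             for _ in range(10)]
    return (schedule_fifo(flood + legit, 5000),
            schedule_access_link(flood + legit, 5000))


if __name__ == "__main__":
    (fifo_sent, _), (part_sent, part_dropped) = flood_scenario()
    print("FIFO link   :", fifo_sent)
    print("partitioned :", part_sent, "dropped:", part_dropped)
```

In the FIFO case the 1000-packet flood from outside the VPN fills the 5000-byte interval before any intra-VPN packet arrives, so every intra-VPN packet is dropped; with the two logical connections and strict precedence all ten intra-VPN packets are delivered and the flood is confined to its capped share. One caveat a practitioner would add: this toy decides membership from a source address, which an attacker can forge, so a real egress router would take membership from the VPN protocol itself (the tunnel or label the packet arrived on, as the claims' "network-based VPN protocol" suggests) rather than from an address field it cannot verify.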

Referring to Claims 2, 10 and 17: 

Liu in view of Tabata disclose the limitations of Claims 1 , 9 and 16 above. 
Tabata further discloses a Differentiated Services network coupling at least one of the 
plurality of ingress boundary routers and at least one of the one or more egress 
boundary routers (paragraph 0063). 

Referring to Claims 3 and 11: 

Liu in view of Tabata disclose the limitations of Claims 1 and 9 above. Liu further 
discloses a plurality of customer premises equipment (CPE) edge routers each coupled 
to a respective one of said plurality of ingress boundary routers (col 5, line 60-col 6, line 
10). 



Referring to Claim 4: 

Liu in view of Tabata disclose the limitations of Claim 1 above. Liu further 
discloses further comprising the access network (Fig. 1). 

Referring to Claims 5 and 12: 

Liu in view of Tabata disclose the limitations of Claims 4 and 9 above. Liu further 
discloses a customer premises equipment (CPE) edge router to the access link (Fig. 1; 
col 6, lines 1-25). 

Referring to Claims 6, 13 and 18: 

Liu in view of Tabata disclose the limitations of Claims 5, 12 and 16 above. 
Tabata further discloses said CPE edge router having a physical port coupled to said 
access link, said physical port implementing a first logical port for intra-VPN traffic and a 
second logical port for extra-VPN traffic (paragraph 0069). 

Referring to Claims 7, 14 and 19: 

Liu in view of Tabata disclose the limitations of Claims 1, 9 and 16 above. 
Tabata further discloses at least one of said plurality of ingress boundary routers 
implements a plurality of tunnels that logically partition intra-VPN and extra-VPN traffic 
(paragraph 0108). 

Referring to Claims 8, 15 and 20: 

Liu in view of Tabata disclose the limitations of Claims 1, 9 and 16 above. 
Tabata further discloses said one or more egress boundary routers provide a plurality of 
different qualities of services to said intra-VPN traffic (paragraphs 0056-0058; paragraph 
0101). 






Conclusion 

10. THIS ACTION IS MADE FINAL. Applicant is reminded of the extension of time 
policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the mailing date of this final action. 

11. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Tom Gyorfi whose telephone number is (571) 272-3849. 
The examiner can normally be reached on 8:00am - 4:30pm Monday - Friday. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu, can be reached on (571) 272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 703-872-9306. 
Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 